Bug 180854 - Default permission bits for /var/account are insecure.
Status: Open
Alias: None
Product: Base System
Classification: Unclassified
Component: misc
Version: 9.1-RELEASE
Hardware: Any Any
Importance: Normal Affects Only Me
Assignee: freebsd-bugs mailing list
Reported: 2013-07-25 20:40 UTC by pl
Modified: 2018-01-03 05:16 UTC

Description pl 2013-07-25 20:40:01 UTC
The default permission bits for /var/account are set to 655 right after you install the FreeBSD base system.

However, because the tools used for process accounting do not take the current user account into consideration, this means that anyone who follows the instructions from the FreeBSD handbook to set up process accounting ends up with a potentially dangerous setup, because from that point on all user accounts on the system can access the collected accounting data, for example by using lastcomm.

The instructions I'm referring to can be found here:
http://www.freebsd.org/doc/handbook/security-accounting.html

Fix: 

Either using "chmod 650 /var/account" to limit access to root and the wheel group only, or perhaps using "chmod 600 /var/account" to limit access to root only.

My suggestion would be to change the default permission bits for /var/account.
How-To-Repeat:
* Install FreeBSD 9.1-RELEASE (though I have reasons to assume this also applies to other versions).
* Enable process accounting using the instructions from the FreeBSD handbook.
* Run /usr/bin/lastcomm using a regular user account.
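
A check for the exposure described in this report, as an added example that is not part of the original bug report or of FreeBSD. It lists every entry under the accounting directory that grants any permission bit to "other"; /var/account is the path from the report, and the function names are hypothetical.

```sh
#!/bin/sh
# Added example: audit a process-accounting directory for access granted
# to "other" (every local account). Function names are hypothetical;
# the default path /var/account comes from the bug report.

# Print each entry under $1 (the directory itself included) that has any
# read, write or execute/search bit set for "other". Symlinks are skipped
# because their own mode bits are not what controls access.
# Only POSIX find syntax is used, so BSD and GNU find behave the same.
acct_world_accessible() {
    find "$1" ! -type l \( -perm -004 -o -perm -002 -o -perm -001 \) \
        -print 2>/dev/null
}

# Exit status: 0 = nothing exposed, 1 = at least one entry exposed,
# 2 = directory missing (process accounting never set up on this host).
acct_audit() {
    dir=${1:-/var/account}
    if [ ! -d "$dir" ]; then
        echo "skip: $dir does not exist" >&2
        return 2
    fi
    exposed=$(acct_world_accessible "$dir")
    if [ -n "$exposed" ]; then
        echo "FAIL: entries accessible to all local users:"
        echo "$exposed" | while IFS= read -r path; do
            ls -ld "$path"
        done
        return 1
    fi
    echo "OK: $dir and its contents grant no access to other"
    return 0
}
```

Call `acct_audit` as root so that find can descend into a directory that is already restricted; as an unprivileged user it can only report on what that user is able to see.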
Comment 1 Eitan Adler freebsd_committer freebsd_triage 2017-12-31 08:01:42 UTC
For bugs matching the following criteria:

Status: In Progress Changed: (is less than) 2014-06-01

Reset to default assignee and clear in-progress tags.

Mail being skipped